Who must appoint a DPO?
What does the General Data Protection Regulation (GDPR) require regarding a Data Protection Officer (DPO)? This is one of the questions that the GDPR, recently adopted by the European Parliament, has made many organisations ask. Another is: what are the implications of those requirements for the organisations the GDPR applies to (those that either do business in Europe or handle the personal information of European citizens)? The short answer is that if the GDPR applies to your business, the Data Protection Officer is a key position to think about.
What is a Data Protection Officer (or DPO)?
Many people ask the question: what is a Data Protection Officer (DPO)? Under the GDPR, controllers and processors of data appoint a DPO to help them comply with data protection law. Once appointed, the officer looks into the risks that data processing can expose the business to and helps the business avoid those risks. Essentially, the officer is the link between the public (including other organisations you work with) and your organisation when it comes to the processing of personal information, so the public can direct their data protection queries to this officer. The officer reports directly to management and must be given all the resources necessary to carry out their functions.
Who needs a Data Protection Officer?
The GDPR does NOT require every controller and processor to appoint a Data Protection Officer.
Public bodies must appoint one
The GDPR says public bodies (except courts carrying out their normal judicial functions) have to appoint a DPO. The immediate issue that arises is: what is a public body? The GDPR does not define one. The Information Commissioner’s Office (ICO) suggests that, apart from state-owned entities and other bodies that clearly exist only as public bodies, it will be left to the national laws of Member States to determine which private bodies will also be deemed public bodies for the purposes of the GDPR.
Based on this, South African organisations will probably have to look at what the laws say in the Member States whose residents’ personal data they process. In other words, do those laws make clear which organisations are always public bodies, and which are public bodies only when they perform certain functions?
Core activities involving regular processing on a large scale
Organisations are struggling to understand what the GDPR means when it requires controllers and processors whose “core activities” involve, for example, processing special categories of personal data “on a large scale” to appoint DPOs. They are also struggling to understand what the GDPR means by processing that involves regular and systematic monitoring of data subjects on a “large scale”. These organisations want to know whether their processing activities fall within the ambit of that requirement.
Regular and systematic monitoring of data subjects on a large scale
The Board’s Guidelines on Data Protection Officers explain that core activities are, first, the activities an organisation undertakes in order to achieve its main goals. A hospital, for example, mainly aims to provide healthcare.
When explaining the meaning of “regular and systematic monitoring,” the Working Party, using the same hospital example, states that as a consequence of providing healthcare, the hospital will regularly, and in accordance with a system, collect health data. Another example is an organisation that acts as the outsourced HR function for other organisations. That organisation’s core activities are those that make it an effective HR function for its clients, and as a consequence it will continuously and systematically process personal data.
For the words “on a large scale,” the Board explains that while it is difficult to define them exactly, the idea is that if the processing affects a significant number of data subjects, over a large geographical area, and involves various systems, it is most likely happening on a large scale.
The GDPR is very clear on the organisations that require a Data Protection Officer. Organisations that:
- have core operations that include the processing of data through large-scale, regular and systematic monitoring of data subjects; or
- process the special personal information (race, ethnicity, and biometric data) of data subjects on a large scale,
have to appoint a Data Protection Officer.
Put in the negative and to summarise, a private body does not have to appoint one if:
- its main activities only seldom involve monitoring data subjects, with little infringement of those data subjects’ rights,
- it does not process special personal information at all, or
- it only processes the special personal information of a small group of data subjects.
One for the Group
It is also possible for organisations in a group structure to come together and appoint a single Data Protection Officer, even when the GDPR does not require them to. But the Board’s Guidelines recommend that where it is not entirely obvious whether the GDPR requires a Data Protection Officer, organisations follow and document a step-by-step analysis of why they think they do not have to make the appointment. For the full discussion, read the Board’s Guidelines on Data Protection Officers.
Actions you can take
- Answer the question “what is the GDPR,” and understand what it requires from your organisation by attending a GDPR workshop or asking us to answer your questions.
- Be well-placed to deliver on all the duties of the Data Protection Officer job by asking us to advise you.
- Subscribe to the Michalsons newsletter to receive future updates.